Author: Markus Moeller <huaraz@moeller.plus.com>

Bug 2710: squid_kerb_auth non-terminated string

diff --git a/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c b/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c
index 17f509d1b81603e66f1243be0e358948d6afc605..368f01bf880dd9a53117066f966835772f352ffd 100644 (file)
--- a/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c
+++ b/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c
@@ -208,6 +208,7 @@ int main(int argc, char * const argv[])
 {
     char buf[MAX_AUTHTOKEN_LEN];
     char *c;
+    char *user=NULL;
     int length=0;
     static int err=0;
     int opt, debug=0, log=0;
@@ -508,11 +509,20 @@ int main(int argc, char * const argv[])
 
             if (check_gss_err(major_status,minor_status,"gss_display_name()",debug,log) )
                 goto cleanup;
-            fprintf(stdout, "AF %s %s\n",token,(char *)output_token.value);
+            user=xmalloc(output_token.length+1);
+            if (user == NULL) {
+               if (debug)
+                  fprintf(stderr, "%s| %s: Not enough memory\n", LogTime(), PROGRAM);
+               fprintf(stdout, "BH Not enough memory\n");
+               goto cleanup;
+            }
+            memcpy(user,output_token.value,output_token.length);
+            user[output_token.length]='\0';
+            fprintf(stdout, "AF %s %s\n",token,user);
             if (debug)
-                fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, token,(char *)output_token.value);
+                fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, token,user);
             if (log)
-                fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), PROGRAM, (char *)output_token.value);
+                fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), PROGRAM, user);
             goto cleanup;
         } else {
             if (check_gss_err(major_status,minor_status,"gss_accept_sec_context()",debug,log) )
@@ -532,11 +542,23 @@ int main(int argc, char * const argv[])
             /*
              *  Return dummy token AA. May need an extra return tag then AF
              */
-            fprintf(stdout, "AF %s %s\n","AA==",(char *)output_token.value);
+            user=xmalloc(output_token.length+1);
+            if (user == NULL) {
+               if (debug)
+                  fprintf(stderr, "%s| %s: Not enough memory\n", LogTime(), PROGRAM);
+               fprintf(stdout, "BH Not enough memory\n");
+               goto cleanup;
+            }
+            memcpy(user,output_token.value,output_token.length);
+            user[output_token.length]='\0';
+            if (norealm && (p=strchr(user,'@')) != NULL) {
+                *p='\0';
+            }
+            fprintf(stdout, "AF %s %s\n","AA==",user);
             if (debug)
-                fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, "AA==", (char *)output_token.value);
+                fprintf(stderr, "%s| %s: AF %s %s\n", LogTime(), PROGRAM, "AA==", user);
             if (log)
-                fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), PROGRAM, (char *)output_token.value);
+                fprintf(stderr, "%s| %s: User %s authenticated\n", LogTime(), PROGRAM, user);
 
 cleanup:
             gss_release_buffer(&minor_status, &input_token);
@@ -562,6 +584,10 @@ cleanup:
                 xfree(token);
                 token=NULL;
             }
+            if (user) {
+                xfree(user);
+                user=NULL;
+            }
             continue;
         }
     }